IN THE CLAIMS

1. (Original) In a first node of a physical network supporting multiple virtual network
connections, a method to dynamically modify configuration data supporting
virtual networks, the method comprising:

receiving i) network address information associated with at least one host
computer, and ii) a corresponding gateway identifier of a gateway in the physical
network;

generating a notification message including the network address 
information and the corresponding gateway identifier; and 

transmitting the notification message to a second node of the physical 
network enabling the second node to establish a virtual network connection 
between the second node and the first node on which to forward data messages 
to the at least one host computer based on the corresponding gateway identifier. 

2. (Original) A method as in claim 1, wherein generating a notification message
further comprises:

generating at least a portion of the notification message in accordance
with a distribution protocol utilized by service providers to disseminate routing
policy information to customer edge nodes; and

wherein transmitting a notification message includes:

transmitting the network address information and the corresponding
gateway identifier as an appendix to the notification message.

3. (Original) A method as in claim 2, wherein the distribution protocol is based at 
least in part on an interautonomous system routing protocol and the virtual 
network connection between the second node and the first node is a virtual 
private network connection overlaid on the physical network, one end of the 
virtual private network connection terminating at the gateway identified by the 
corresponding gateway identifier.

4. (Original) A method as in claim 1 further comprising:

transmitting routing policy attribute information in addition to the network 
address information and corresponding gateway identifier to the second node to 
more particularly define a policy for routing the data messages on a 
corresponding virtual network connection through the gateway to the at least one 
host computer. 

5. (Original) A method as in claim 1, wherein the first and the second nodes are
part of a network that does not inherently support encryption services and 
configuration data at the second node at least partially supports encryption of 
data messages forwarded to the at least one host computer through the gateway 
identified by the corresponding gateway identifier. 

6. (Original) A method as in claim 1, wherein transmitting the network address and
identifier includes: 

delivering the notification message including the network address and 
corresponding gateway identifier to multiple customer edge nodes of the physical 
network, each customer edge node updating its corresponding configuration data 
for establishing private networks between the customer edge nodes based on the 
network address and corresponding gateway identifier. 

7. (Original) A method as in claim 1, wherein the first and second nodes are
customer edge nodes in a network and the network supports virtual private 
networks terminating at the customer edge nodes. 

8. (Original) A method as in claim 1, wherein the network address information 
identifies a single host computer.

9. (Original) A method as in claim 1, wherein the network address information
identifies a range of host computers that are part of a network coupled to the first 
node. 

10. (Original) A method as in claim 1, wherein the corresponding gateway identifier 
is an IPsec identity associated with the at least one host computer. 

11. (Original) A computer system at a first node of a physical network that at least
partially supports a virtual network connection, the computer system comprising: 

a processor; 

a memory unit that stores instructions associated with an application 
executed by the processor; 

a communication interface that supports communication with other nodes 
of the physical network; and 

an interconnect coupling the processor, the memory unit, and the 
communication interface, enabling the computer system to execute the 
application and perform operations of: 

receiving i) network address information associated with at least
one host computer, and ii) a corresponding gateway identifier of a
gateway in the physical network;

generating a notification message including the network address
information and the corresponding gateway identifier; and

transmitting the notification message to a second node of the
physical network enabling the second node to establish a virtual network
connection between the second node and the first node on which to
forward data messages to the at least one host computer based on the
corresponding gateway identifier.

12. (Original) A computer system as in claim 11 that, when generating a notification
message and respectively transmitting a notification message, further performs 
operations of: 

generating at least a portion of the notification message in accordance 
with a distribution protocol utilized by service providers to disseminate routing 
policy information to customer edge nodes; and 

transmitting the network address information and the corresponding 
gateway identifier as an appendix to the notification message. 



13. (Original) A computer system as in claim 12, wherein the distribution protocol is 
based at least in part on an interautonomous system routing protocol and the 
virtual network connection between the second node and the first node is a 
virtual private network connection overlaid on the physical network, one end of 
the virtual private network connection terminating at the gateway identified by the 
corresponding gateway identifier. 

14. (Original) A computer system as in claim 11 that further performs an operation
of:

transmitting routing policy attribute information in addition to the network 
address information and corresponding gateway identifier to the second node to 
more particularly define a policy for routing the data messages on a 
corresponding virtual network connection through the gateway to the at least one 
host computer. 



15. (Original) A computer system as in claim 11, wherein the first and the second
nodes are part of a network that does not inherently support encryption services 
and configuration data at the second node at least partially supports encryption 
of data messages forwarded to at least one host computer through the gateway 
identified by the corresponding gateway identifier.

16. (Original) A computer system as in claim 11 that, when transmitting the network
address and identifier, further performs operations of:

delivering the notification message including the network address and 
corresponding gateway identifier to multiple customer edge nodes of the physical 
network, each customer edge node updating its corresponding configuration data 
for establishing private networks between the customer edge nodes based on the 
network address and corresponding gateway identifier. 

17. (Original) A computer system as in claim 11, wherein the first and second nodes
are customer edge nodes in a network configured according to Request For 
Comment 2547 and the network supports virtual private networks terminating at 
the customer edge nodes. 

18. (Original) A computer system as in claim 11, wherein the network address
information identifies a single host computer. 

19. (Original) A computer system as in claim 11, wherein the network address
information identifies a range of host computers that are part of a network 
coupled to the first node. 

20. (Original) A computer system as in claim 11, wherein the corresponding gateway
identifier is a network address of the at least one host computer. 

21. (Currently Amended) In a receiving node of a physical network supporting
multiple virtual network connections, a method to dynamically modify 
configuration data associated with at least one of the multiple virtual network 
connections, the method comprising: 

receiving a notification message from a sending node of the physical 
network, the notification message including network address information and a 
corresponding gateway identifier of a gateway of the physical network; and

based on contents of the notification message, modifying a map at the
receiving node to include the network address information, the corresponding
gateway identifier, and configuration data identifying at least part of a virtual
network connection between the receiving node and the sending node on which
to forward data messages through the gateway to a destination node; and

upon forwarding data messages through the receiving node, utilizing the
map to identify on which virtual network to forward the data messages through
the gateway to the destination node.

22. (Canceled) 

23. (Original) A method as in claim 21 further comprising: 

at the receiving node including the map, receiving a data message to be 
forwarded based on a corresponding destination address; 

comparing the destination address and a source address of the data 
message to network address information stored in the map; 

identifying, based on the destination address, how to transmit the data 
message to the destination node based on a corresponding virtual network 
connection specified in the map. 

24. (Original) A method as in claim 23 further comprising: 

in response to identifying that the destination address of the data message 
matches network address information in the map, establishing the corresponding 
virtual network connection specified in the map on which to transmit the data 
message to the destination node. 

25. (Original) A method as in claim 24, wherein establishing a virtual network 
connection includes establishing a virtual private network connection between 
the receiving node and sending node based on IKE (Internet Key Exchange) 
protocol and IPsec (Internet Protocol Security).

26. (Original) A method as in claim 23 further comprising:

in response to identifying that the destination address of the data message 
matches network address information in the map, identifying whether a 
corresponding virtual network connection specified in the map has been 
established and, if so, transmitting the data message on the established virtual 
network connection to the destination node. 

27. (Original) A method as in claim 21, wherein the network address information
identifies a single host computer. 

28. (Original) A method as in claim 21, wherein the network address information
identifies a range of host computers that are part of a network coupled to the first 
node. 

29. (Original) A method as in claim 21, wherein the corresponding gateway identifier
is an IPsec identity associated with the at least one host computer. 

30. (Original) A method as in claim 21, wherein the gateway is located in the
sending node. 

31. (Currently Amended) A computer system at a receiving node of a physical
network that at least partially supports a virtual network connection, the computer 
system comprising: 

a processor; 

a memory unit that stores instructions associated with an application
executed by the processor;

a communication interface that supports communication with other nodes
of the physical network; and

an interconnect coupling the processor, the memory unit, and the
communication interface, enabling the computer system to execute the
application and perform operations of:

receiving a notification message from a sending node of the
physical network, the notification message including network address
information and a corresponding gateway identifier of a gateway of the
physical network; and

based on contents of the notification message, modifying a map at
the receiving node to include the network address information, the
corresponding gateway identifier, and configuration data identifying at
least part of a virtual network connection between the receiving node and
the sending node on which to forward data messages through the
gateway to a destination node; and

utilizing the map to identify on which virtual network to forward the
data messages through the gateway to the destination node to support
forwarding of data messages through the receiving node.

32. (Canceled) 

33. (Original) A computer system as in claim 31 that further performs operations of:

at the receiving node including the map, receiving a data message to be 
forwarded based on a corresponding destination address; 

comparing the destination address and a source address of the data 
message to network address information stored in the map; 

identifying, based on the destination address, how to transmit the data 
message to the destination node based on a corresponding virtual network 
connection specified in the map. 

34. (Original) A computer system as in claim 33 that further performs operations of:

in response to identifying that the destination address of the data message
matches network address information in the map, establishing the corresponding 
virtual network connection specified in the map on which to transmit the data 
message to the destination node. 

35. (Original) A computer system as in claim 34, wherein establishing a virtual 
network connection includes establishing a virtual private network connection 
between the receiving node and sending node based on IKE (Internet Key 
Exchange) protocol and IPsec (Internet Protocol Security).

36. (Original) A computer system as in claim 33 that further performs operations of: 

in response to identifying that the destination address of the data message 
matches network address information in the map, identifying whether a 
corresponding virtual network connection specified in the map has been 
established and, if so, transmitting the data message on the established virtual 
network connection to the destination node. 

37. (Original) A computer system as in claim 31, wherein the network address
information identifies a single host computer. 

38. (Original) A computer system as in claim 31, wherein the network address
information identifies a range of host computers that are part of a network 
coupled to the first node. 

39. (Original) A computer system as in claim 31, wherein the corresponding gateway
identifier is a network address of the at least one host computer. 

40. (Original) A computer system as in claim 31, wherein the gateway is located in
the sending node.

41. (Original) A computer program product including a computer-readable medium
having instructions stored thereon for processing data information, such that the 
instructions, when carried out by a processing device, enable the processing 
device to perform the steps of: 

receiving i) network address information associated with at least one host 
computer, and ii) a corresponding gateway identifier of a gateway in the physical 
network; 

generating a notification message including the network address 
information and the corresponding gateway identifier; and 

transmitting the notification message to a second node of the physical 
network enabling the second node to establish a virtual network connection 
between the second node and the first node on which to forward data messages 
to the at least one host computer based on the corresponding gateway identifier. 

42. (Original) A computer system at a first node of a physical network that at least 
partially supports a virtual network connection, the computer system comprising: 

means for receiving i) network address information associated with at 
least one host computer, and ii) a corresponding gateway identifier of a gateway 
in the physical network; 

means for generating a notification message including the network 
address information and the corresponding gateway identifier; and 

means for transmitting the notification message to a second node of the 
physical network enabling the second node to establish a virtual network 
connection between the second node and the first node on which to forward data 
messages to the at least one host computer based on the corresponding 
gateway identifier. 

43. (Currently Amended) A computer program product including a
computer-readable medium having instructions stored thereon for processing data
information, such that the instructions, when carried out by a processing device,
enable the processing device to perform the steps of: 

receiving a notification message from a sending node of the physical 
network, the notification message including network address information and a 
corresponding gateway identifier of a gateway of the physical network; and 

based on contents of the notification message, modifying a map at the
receiving node to include the network address information, the corresponding
gateway identifier, and configuration data identifying at least part of a virtual
network connection between the receiving node and the sending node on which
to forward data messages through the gateway to a destination node; and

utilizing the map to identify on which virtual network to forward the data
messages through the gateway to the destination node to support forwarding of
data messages through the receiving node.

44. (Currently Amended) A computer system at a receiving node of a physical
network that at least partially supports a virtual network connection, the computer
system comprising:

means for receiving a notification message from a sending node of the 
physical network, the notification message including network address information 
and a corresponding gateway identifier of a gateway of the physical network; and 

means for modifying a map at the receiving node to include the network
address information, the corresponding gateway identifier, and configuration data
identifying at least part of a virtual network connection between the receiving
node and the sending node on which to forward data messages through the
gateway to a destination node; and

means for utilizing the map to identify on which virtual network to forward
the data messages through the gateway to the destination node to support
forwarding of data messages through the receiving node.

45. (Original) In a physical network supporting virtual private network connections
terminating at customer edge routers coupled to a service provider network, a 
method comprising: 

at a first customer edge router: 

receiving a range of network addresses associated with host
computers coupled to the first customer edge router;

in addition to receiving the range of network addresses, receiving a 
security gateway identifier associated with a second customer edge router of the 
service provider network; 

generating and transmitting a notification message including the range of 
network addresses and the security gateway identifier to the second customer 
edge router; and 

at the second customer edge router: 

receiving the notification message; 

based on contents of the notification message, generating a map to 
include the range of network addresses and a corresponding virtual 
private network connection between the second customer edge router and 
first customer edge router; and 

prior to forwarding data messages through the second customer 
edge router to a computer having a network address in the range of 
network addresses, utilizing the map to identify on which virtual private 
network to forward the data messages. 

46. (New) A method as in claim 1 further comprising: 

generating a map at the second node based on the network address 
information and the corresponding gateway identifier of the gateway for routing of 
messages destined for the at least one host computer via the gateway identifier, 
the second node supporting forwarding of the messages to the at least one host 
computer through the gateway as specified by the corresponding gateway 
identifier.

47. (New) A method as in claim 2, wherein transmitting the notification message to
the second node includes: 

transmitting the notification message from a first customer edge node 
through a path including a service provider network to a second customer edge 
node, the second customer edge node configured to utilize the network address 
information and the corresponding gateway identifier to create a map specifying 
the gateway in the physical network as specified by the corresponding gateway 
identifier on which to forward messages from the second customer edge node 
through the service provider network to the first customer edge node to the at 
least one host computer. 

48. (New) A method as in claim 47, wherein transmitting the notification message 
from the first customer edge node through the path including the service provider 
network to the second customer edge node includes: 

transmitting the notification message to a first service provider edge router 
in the service provider network, the first service provider edge router configured 
to distribute the notification message to multiple other service provider edge 
routers in the service provider network. 

49. (New) A method as in claim 48, wherein each of the multiple other service 
provider edge routers in the service provider network is configured to identify 
which virtual private network the corresponding gateway identifier is associated 
with for purposes of advertising the network address information and the 
corresponding gateway identifier to appropriate customer edge nodes, a given 
provider edge router of the other service provider edge routers configured to 
receive the notification message from the first service provider edge router and 
forward the network address information and the corresponding gateway 
identifier to the second customer edge router.

50. (New) A method as in claim 49, wherein the given service provider edge router is
configured to determine a virtual private network to which the notification 
message pertains based on use of a route target extended community attribute. 



51. (New) A method as in claim 47 further comprising:

maintaining at least one encryption key in the map to enable the second 
customer edge node to identify how to encrypt information transmitted to the at 
least one host computer. 
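
The receiving-node behaviour of claims 21, 23 to 26 and 51, as an added Python example that is not part of the claims or the application. The class and field names, the longest-prefix tie-break, the gateway names and the random bytes standing in for IKE-negotiated key material are assumptions.

```python
# Added illustration of claims 21, 23-26 and 51; all names are hypothetical.
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class MapEntry:
    network: object                  # "network address information" (IP network)
    gateway_id: str                  # "corresponding gateway identifier"
    established: bool = False        # has the virtual connection been set up?
    key: Optional[bytes] = None      # claim 51: encryption key kept in the map


class ReceivingNode:
    def __init__(self):
        self.vpn_map = {}            # network -> MapEntry
        self.negotiations = 0        # number of tunnel set-ups performed

    def on_notification(self, prefix: str, gateway_id: str) -> MapEntry:
        """Claim 21: modify the map based on the notification contents."""
        if not gateway_id:
            raise ValueError("notification lacks a gateway identifier")
        # strict=True rejects prefixes with host bits set, e.g. 10.1.2.3/16
        net = ipaddress.ip_network(prefix, strict=True)
        old = self.vpn_map.get(net)
        if old and old.gateway_id == gateway_id:
            return old               # repeated notification: keep tunnel state
        entry = MapEntry(net, gateway_id)
        self.vpn_map[net] = entry    # new prefix or changed gateway: fresh state
        return entry

    def lookup(self, dst: str) -> Optional[MapEntry]:
        """Claim 23: compare the destination address to the map.
        Assumption: the most specific (longest) matching prefix wins."""
        addr = ipaddress.ip_address(dst)
        hits = [e for e in self.vpn_map.values() if addr in e.network]
        return max(hits, key=lambda e: e.network.prefixlen, default=None)

    def forward(self, dst: str) -> str:
        entry = self.lookup(dst)
        if entry is None:
            return "no-map-entry"
        if not entry.established:    # claim 24: establish on first match
            entry.key = self._negotiate(entry.gateway_id)
            entry.established = True
            return f"established+sent via {entry.gateway_id}"
        return f"sent via {entry.gateway_id}"   # claim 26: reuse the connection

    def _negotiate(self, gateway_id: str) -> bytes:
        # Stand-in for the IKE/IPsec exchange of claim 25; random bytes
        # model the key material that exchange would produce.
        self.negotiations += 1
        return os.urandom(32)


def demo():
    node = ReceivingNode()
    # Constructed notifications: a range and a more specific range inside it.
    node.on_notification("10.1.0.0/16", "gw-a.example")
    node.on_notification("10.1.2.0/24", "gw-b.example")
    results = [node.forward(d) for d in
               ("10.1.2.7", "10.1.2.8", "10.1.9.9", "192.0.2.1")]
    return results, node.negotiations


if __name__ == "__main__":
    print(demo())
```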



